06-09-2009 06:14 AM - edited 03-04-2019 05:02 AM
Dear All,
I have a head office and branch offices connected using MPLS VPN. It is not fully meshed; it is a hub & spoke topology.
Now I am able to communicate between the branch offices and the head office.
But I want communication between branch offices to go through the head office (not a direct connection between branch offices). I want to configure ACLs on the head office CE router to block/allow some traffic between branch offices.
I am aware that in a point-to-point hub & spoke topology it is possible. But in MPLS, how is it to be done? The reason for raising this point is that when traffic is destined from Branch-1 CE Router to Branch-2 CE Router, it gets routed in PE-3 Router itself and not via the Head Office CE Router.
Then how can this be achieved? Please help.
RBK
06-09-2009 06:38 AM
Hi RBK,
To deploy a Hub & Spoke VPN, you need two different RTs. One (RT1) will be used by PE-3 to export the Hub prefixes and an aggregate route of spoke prefixes (or a default route).
The other RT (RT2) will be used by the remote PE to export the spoke prefixes.
So your PE configuration should look like:
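PE-3:
ip vrf customer
 ! RT1 and RT2 stand for the actual route-target values
 route-target import RT2
 route-target export RT1
!
PE-1 and PE-2:
ip vrf customer
 route-target import RT1
 route-target export RT2
!
PE-1 and PE-2 import only routes exported by PE-3.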
This way, all your spoke-to-spoke traffic will go through your HUB CE.
If you have several spokes connected to the same PE, you will need one VRF per spoke to avoid local switching.
HTH
Laurent.
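An added example, not part of the reply above or of any Cisco tooling: a small Python audit of the route-target plan just described, flagging the two cases in which spoke-to-spoke traffic would miss the ACLs on the hub CE (a spoke VRF importing RT2, or two spokes sharing one VRF on a PE). The `Vrf` model, the `audit` function, the RT values and the prefixes are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

RT1, RT2 = "65000:1", "65000:2"   # constructed route-target values

@dataclass
class Vrf:
    pe: str          # PE router that holds the VRF
    name: str
    imports: set     # route targets imported into the VRF
    exports: set     # route targets attached to exported routes
    sites: dict      # attached site name -> prefix its CE advertises
    role: str = "spoke"

def audit(vrfs):
    """List the ways spoke-to-spoke traffic could bypass the hub CE."""
    findings = []
    spokes = [v for v in vrfs if v.role == "spoke"]
    # A spoke VRF that imports an RT exported by another spoke VRF learns that
    # spoke's prefixes directly, so the traffic never reaches the hub CE ACLs.
    for a in spokes:
        for b in spokes:
            if a is not b and a.imports & b.exports:
                for site, prefix in sorted(b.sites.items()):
                    findings.append(("direct-import", a.pe, a.name, site, prefix))
    # Two spoke sites sharing one VRF on one PE are switched locally on that PE.
    for v in spokes:
        for s1, s2 in combinations(sorted(v.sites), 2):
            findings.append(("local-switching", v.pe, v.name, s1, s2))
    return findings

HUB = Vrf("PE-3", "customer", {RT2}, {RT1}, {"Head-Office": "0.0.0.0/0"}, "hub")
B1 = {"Branch-1": "10.1.0.0/16"}   # constructed prefixes
B2 = {"Branch-2": "10.2.0.0/16"}

GOOD = [HUB, Vrf("PE-1", "customer", {RT1}, {RT2}, B1),
        Vrf("PE-2", "customer", {RT1}, {RT2}, B2)]
# PE-2 also imports RT2: it now learns Branch-1's prefix straight from PE-1.
BAD_RT = [HUB, Vrf("PE-1", "customer", {RT1}, {RT2}, B1),
          Vrf("PE-2", "customer", {RT1, RT2}, {RT2}, B2)]
# Both branches attached to the same VRF on PE-1.
BAD_SHARED = [HUB, Vrf("PE-1", "customer", {RT1}, {RT2}, {**B1, **B2})]

if __name__ == "__main__":
    for label, topo in (("good", GOOD), ("bad-rt", BAD_RT), ("shared", BAD_SHARED)):
        print(label, audit(topo))
```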
06-09-2009 07:58 AM
Hi Laurent,
Your reply is helpful to understand the logic. I appreciate it.
But I am still not clear on a basic concept. That is, if the traffic is sent from BRANCH-1 CE destined to BRANCH-2 CE, won't it be routed in PE-3 itself, bypassing HEAD OFFICE CE?
RBK
06-09-2009 08:48 AM
It won't because the traffic is MPLS switched up to the CE.
The PE will have a CEF entry with an outgoing interface associated to the VPN label, so there is no lookup in the VRF routing table.
HTH
Laurent.